constellai 0.3.5 → 0.3.7

package/.next/trace-build

@@ -1 +1 @@
-[{"name":"run-webpack","duration":26815952,"timestamp":190799899484,"id":14,"parentId":1,"tags":{},"startTime":1782510503049,"traceId":"bc7cc12461eca835"},{"name":"run-typescript","duration":12000260,"timestamp":190826723198,"id":7670,"parentId":1,"tags":{},"startTime":1782510529873,"traceId":"bc7cc12461eca835"},{"name":"static-check","duration":1542436,"timestamp":190838901609,"id":7673,"parentId":1,"tags":{},"startTime":1782510542051,"traceId":"bc7cc12461eca835"},{"name":"static-generation","duration":3346027,"timestamp":190841194366,"id":7783,"parentId":1,"tags":{},"startTime":1782510544344,"traceId":"bc7cc12461eca835"},{"name":"collect-build-traces","duration":11536388,"timestamp":190840447211,"id":7780,"parentId":1,"tags":{},"startTime":1782510543597,"traceId":"bc7cc12461eca835"},{"name":"telemetry-flush","duration":42,"timestamp":190851987658,"id":7792,"parentId":1,"tags":{},"startTime":1782510555137,"traceId":"bc7cc12461eca835"},{"name":"next-build","duration":52206246,"timestamp":190799781460,"id":1,"tags":{"buildMode":"default","version":"16.2.9","bundler":"webpack","has-custom-webpack-config":"false","use-build-worker":"true"},"startTime":1782510502931,"traceId":"bc7cc12461eca835"}]
+[{"name":"run-webpack","duration":28308283,"timestamp":276127696865,"id":14,"parentId":1,"tags":{},"startTime":1782595829996,"traceId":"ad93f9f314c29a48"},{"name":"run-typescript","duration":14486864,"timestamp":276156010895,"id":7671,"parentId":1,"tags":{},"startTime":1782595858310,"traceId":"ad93f9f314c29a48"},{"name":"static-check","duration":1755511,"timestamp":276170709852,"id":7674,"parentId":1,"tags":{},"startTime":1782595873009,"traceId":"ad93f9f314c29a48"},{"name":"static-generation","duration":3914775,"timestamp":276173483920,"id":7784,"parentId":1,"tags":{},"startTime":1782595875783,"traceId":"ad93f9f314c29a48"},{"name":"collect-build-traces","duration":12968077,"timestamp":276172468841,"id":7781,"parentId":1,"tags":{},"startTime":1782595874768,"traceId":"ad93f9f314c29a48"},{"name":"telemetry-flush","duration":93,"timestamp":276185442467,"id":7793,"parentId":1,"tags":{},"startTime":1782595887742,"traceId":"ad93f9f314c29a48"},{"name":"next-build","duration":57862680,"timestamp":276127579889,"id":1,"tags":{"buildMode":"default","version":"16.2.9","bundler":"webpack","has-custom-webpack-config":"false","use-build-worker":"true"},"startTime":1782595829879,"traceId":"ad93f9f314c29a48"}]

package/CHANGELOG.md

@@ -12,6 +12,68 @@ may still introduce breaking changes while the platform stabilises.
 
 ---
 
+## [0.3.7] — "Open source: full source goes public"
+
+Constella goes **fully open-source**: the public GitHub repo now carries the complete `src/`, not a
+source-less compiled mirror. A pre-publication scrub and third-party licensing are in place.
+
+### Open source
+- **Full source published.** `scripts/publish-public.mjs` now ships the whole source tree (`src/`, `bin/`,
+  `scripts/`, the native skills library, configs, generated migrations) — excluding only test config
+  (`e2e`/`tests`/Playwright) and the internal release guide (the per-locale `PUBLISHING.md`). No committed
+  build: the compiled `.next` still reaches users through the npm tarball, not git.
+- **`THIRD_PARTY_LICENSES.md`** added at the root — indexes every bundled Agent Skill by license (Apache-2.0
+  © Anthropic, MIT © Leonxlnx, and the proprietary Anthropic document skills), each folder keeping its own
+  authoritative `LICENSE`.
+
+### Changed
+- **Pre-publication scrub.** Neutralised third-party brand mentions and removed personal paths / example PII
+  from the code and docs (the `skills/` content keeps its own references — those are public web skills).
+
+### Docs
+- Re-framed the published docs for the open-source flow (the public repo is full source, not a disposable
+  compiled mirror) and corrected stale "VPS runs in Docker" claims to the real **native** model
+  (npm + systemd + Tailscale).
+
+---
+
+## [0.3.6] — 2026-06-26 — "Hardening pass"
+
+A whole-project code review — **security, correctness and robustness**. Highlights:
+
+### Security
+- **Operator-account takeover closed.** The signup takeover guard keyed off the `.env` flag ALONE; a
+  restored/copied `constella.db` (flag absent, credential present) let an unauthenticated caller reset the
+  operator's password. The DB credential is now the source of truth (signup action **and** login screen).
+- **Secret scanning hardened.** The commit/export scan now catches GitHub fine-grained PATs (`github_pat_…`);
+  the public-publish scan covers `.cjs/.cts` files and iterates ALL matches of validated patterns (a
+  placeholder no longer hides a real secret later in a file).
+- **Web-research allowlist** re-validates the FINAL url host after redirects (and matches port-bearing hosts).
+- **Live-inspect spoofing closed** — the canvas only trusts a `live:select` message from its own iframe.
+
+### Fixed
+- **RAG reindex** no longer wipes curated KB-entry chunks (scoped to non-KB chunks).
+- **Runner:** a null-assignee task can't deadlock the queue; an agent isn't left stuck "working" after a throw;
+  a relay failure can't abort a task's own bookkeeping; the "update available" notice stops re-appearing after
+  you dismiss it.
+- **Telegram:** a failed ingest no longer drops the operator's message (offset advances only on success); the
+  inline-button allowlist is default-deny.
+- **Dev server:** detached process group (a clean stop no longer orphans the real server) + an in-flight boot
+  lock (no second server spawned on a concurrent start).
+- **Local models:** stopping the chat server (:8082) no longer also kills the RAG embedding server (:8083).
+- **Dates:** report + profile no longer render far-future (year-57000) timestamps.
+- Plus markdown-patch `$`-escaping, prerelease-aware update checks, a stdin-EPIPE crash guard, and a long tail
+  of data/UI/script fixes.
+
+### Changed
+- **VPS one-click self-update hardened:** invoke the SAME absolute npm/systemctl the sudoers rule uses, scope
+  the rule to `constellai@latest` (drop the `@*` wildcard), and always (re)write the drop-in so a stale one
+  self-heals.
+- **Docs:** an honest **compatibility status** in the README (Windows primary · Linux experimental · macOS
+  untested · portable in validation) + a **[roadmap](docs/roadmap.md)** skeleton.
+
+---
+
 ## [0.3.5] — 2026-06-26 — "VPS update polish"
 
 ### Fixed
@@ -97,7 +159,7 @@ Telegram.
   animations files and `<link>`s them; the canvas **inlines** them (the sandbox only renders inline CSS) and the
   production build bundles + minifies/obfuscates. Clean modular source, working live preview.
 - **Domain/style-aware RAG + skill selection** — Grace extracts keywords from the brief, mission, objective, attached
-  mock and your message, expands them through a domain+style lexicon (hotel → booking/hospitality; "Apple/iOS" →
+  mock and your message, expands them through a domain+style lexicon (hotel → booking/hospitality; "native mobile" →
   glassmorphism/microinteractions/premium type) and **ranks the seeded skills** by name/tags/description, telling her
   to read the most relevant ones first — not a flat generic list.
 - **The Design → Grace → Ada → Execution flow.** A planner **design gate** holds a frontend/visual plan until the UI is

package/README.md

@@ -5,7 +5,7 @@
 
 <p align="center">
   <a href="#-quickstart"><img alt="npx constella" src="https://img.shields.io/badge/npx-constellai-7c3aed?style=for-the-badge&logo=npm&logoColor=white"></a>
-  <img alt="version" src="https://img.shields.io/badge/version-0.3.5-22d3ee?style=for-the-badge">
+  <img alt="version" src="https://img.shields.io/badge/version-0.3.7-22d3ee?style=for-the-badge">
   <img alt="node" src="https://img.shields.io/badge/node-%E2%89%A520-3fb950?style=for-the-badge&logo=node.js&logoColor=white">
   <img alt="license" src="https://img.shields.io/badge/license-MIT-a78bfa?style=for-the-badge">
   <img alt="agent CLIs" src="https://img.shields.io/badge/agent%20CLIs-claude%20%C2%B7%20codex%20%C2%B7%20%2B8-e879f9?style=for-the-badge">
@@ -32,6 +32,12 @@ Real `claude` / `codex` agents that plan, build, review and ship — on your mac
 > 24/7 — writing real code in a real workspace, using local or cloud models, with budgets, skills,
 > RAG memory, GitHub/Telegram integration and a deploy pipeline. **Nothing is faked.**
 
+> ⚙️ **Compatibility status** — Constella is young and not yet tested in every environment:
+> - **Windows** — primary platform (developed + tested here)
+> - **Linux** — experimental; works normally, still in active testing
+> - **macOS** — not tested yet (no Mac on hand 😅)
+> - **Portable (USB) mode** — in validation
+
 <p align="center"><img src="docs/assets/divider-orbit.svg" alt="" width="100%"/></p>
 
 ## 🪐 What is Constella?

package/README.pt-BR.md

@@ -5,7 +5,7 @@
 
 <p align="center">
   <a href="#-início-rápido"><img alt="npx constella" src="https://img.shields.io/badge/npx-constellai-7c3aed?style=for-the-badge&logo=npm&logoColor=white"></a>
-  <img alt="version" src="https://img.shields.io/badge/version-0.3.5-22d3ee?style=for-the-badge">
+  <img alt="version" src="https://img.shields.io/badge/version-0.3.7-22d3ee?style=for-the-badge">
   <img alt="node" src="https://img.shields.io/badge/node-%E2%89%A520-3fb950?style=for-the-badge&logo=node.js&logoColor=white">
   <img alt="license" src="https://img.shields.io/badge/license-MIT-a78bfa?style=for-the-badge">
   <img alt="agent CLIs" src="https://img.shields.io/badge/CLIs%20de%20agente-claude%20%C2%B7%20codex%20%C2%B7%20%2B8-e879f9?style=for-the-badge">
@@ -33,6 +33,12 @@ Agentes `claude` / `codex` reais que planejam, constroem, revisam e entregam —
 > com orçamentos, skills, memória RAG, integração com GitHub/Telegram e um pipeline de deploy. **Nada é
 > falso.**
 
+> ⚙️ **Status de compatibilidade** — a Constella é nova e ainda não foi testada em todos os ambientes:
+> - **Windows** — plataforma principal (desenvolvida + testada aqui)
+> - **Linux** — experimental; funciona normalmente, em fase de testes
+> - **macOS** — não testado (não tenho um Mac 😅)
+> - **Modo pen-drive (portátil)** — em validação
+
 <p align="center"><img src="docs/assets/divider-orbit.svg" alt="" width="100%"/></p>
 
 ## 🪐 O que é a Constella?

package/THIRD_PARTY_LICENSES.md

@@ -0,0 +1,64 @@
+# Third-party licenses
+
+Constella itself is **MIT** (see [LICENSE](LICENSE)). The bundled **Agent Skills** under `skills/` are
+third-party content and are redistributed under their own licenses. Each skill folder keeps its authoritative
+`LICENSE` / `LICENSE.txt` — those files are the source of truth; this page is a convenience index.
+
+---
+
+## Apache-2.0 — © Anthropic, PBC
+
+Official Anthropic Agent Skills, redistributed under the Apache License 2.0 (each folder retains the full
+license text):
+
+- `skills/design/algorithmic-art`
+- `skills/design/brand-guidelines`
+- `skills/design/interface-composition-playbook`
+- `skills/design/pet-companion-animation-rows-reference-guide`
+- `skills/design/pet-companion-codex-companion-contract-reference-guide`
+- `skills/design/pet-companion-orientation-guide`
+- `skills/design/pet-companion-playbook`
+- `skills/design/pet-companion-qa-rubric-reference-guide`
+- `skills/design/theme-factory`
+- `skills/design/uupm-ui-styling`
+- `skills/front-end/canvas-design`
+- `skills/front-end/claude-api`
+- `skills/front-end/frontend-design`
+- `skills/front-end/internal-comms`
+- `skills/front-end/mcp-builder`
+- `skills/front-end/skill-creator`
+- `skills/front-end/slack-gif-creator`
+- `skills/front-end/web-artifacts-builder`
+- `skills/front-end/webapp-testing`
+
+Apache-2.0: <https://www.apache.org/licenses/LICENSE-2.0>
+
+## MIT — © Leonxlnx
+
+Design playbooks redistributed under the MIT License (each folder retains its `LICENSE`):
+
+- `skills/design/composition-taste-interface-playbook`
+- `skills/design/composition-taste-interface-v1-playbook`
+- `skills/design/full-delivery-enforcement-playbook`
+- `skills/design/gpt-taste-playbook`
+- `skills/design/high-end-visual-composition-playbook`
+- `skills/design/identity-kit-playbook`
+- `skills/design/imagecraft-interface-mobile-playbook`
+- `skills/design/imagecraft-interface-web-playbook`
+- `skills/design/industrial-raw-ui-playbook`
+- `skills/design/minimal-ui-playbook`
+- `skills/design/refresh-existing-projects-playbook`
+- `skills/design/stitch-composition-taste-playbook`
+- `skills/design/stitch-playbook-composition-journal`
+- `skills/design/visual-to-code-playbook`
+
+## Anthropic document skills — proprietary notice — © Anthropic, PBC
+
+The document skills below carry "© Anthropic, PBC. All rights reserved" (use governed by your agreement with
+Anthropic). They are **not** MIT/Apache. They are redistributed here as obtained from Anthropic's public
+skills repository; each folder keeps its original `LICENSE.txt`, which is the authoritative term:
+
+- `skills/front-end/docx`
+- `skills/front-end/pdf`
+- `skills/front-end/pptx`
+- `skills/front-end/xlsx`

package/bin/constella-update.mjs

@@ -55,7 +55,13 @@ const PORT = String(arg("--port") || process.env.PORT || state.port || "3000");
 let LAUNCHER = Number(arg("--pid") || process.env.CONSTELLA_LAUNCHER_PID || state.launcherPid || 0);
 
 const log = (...a) => { if (!QUIET) console.log(...a); };
-const sleep = (ms) => { try { Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms); } catch { /* no SAB → skip */ } };
+const sleep = (ms) => {
+  try { Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms); return; } catch { /* no SAB → busy-wait */ }
+  // Fallback when SharedArrayBuffer is unavailable (sandbox / hardened runtime): a real blocking wait. The old
+  // no-op return made the graceful-shutdown loops spin instantly → an immediate SIGKILL that skipped run.json
+  // cleanup + the child-kill cascade.
+  const end = Date.now() + ms; while (Date.now() < end) { /* block */ }
+};
 const alive = (p) => { try { process.kill(p, 0); return true; } catch { return false; } };
 const psout = (s) => { try { return execFileSync("powershell", ["-NoProfile", "-Command", s], { timeout: 9000, windowsHide: true }).toString(); } catch { return ""; } };
 const ints = (s) => s.split(/\r?\n/).map((x) => +x.trim()).filter((n) => n > 0);
@@ -116,16 +122,21 @@ function relaunch() {
 // So here we update via `sudo -n` and then let systemd cycle the unit (it stops this whole cgroup — us
 // included — and starts fresh on the new code). No kill-by-pid, no relaunch: systemd owns the process.
 const SERVICE = process.env.CONSTELLA_SERVICE || "constella";
+// Invoke the SAME absolute npm/systemctl the sudoers rule was written with (vps-install.sh passes them via the
+// service env), so `sudo -n` matches the NOPASSWD entry even when sudo's secure_path resolves a bare `npm`/
+// `systemctl` to a different path. Falls back to the bare name (unchanged behavior) when the env isn't set.
+const NPM = process.env.CONSTELLA_NPM_PATH || "npm";
+const SYSTEMCTL = process.env.CONSTELLA_SYSTEMCTL_PATH || "systemctl";
 
 function vpsInstall(target) {
   const opt = { stdio: QUIET ? "ignore" : "inherit", windowsHide: true, cwd: SAFE_CWD };
   for (let i = 0; i < 4; i++) {
-    log(`• sudo npm install -g ${target}  (attempt ${i + 1}/4)…`);
+    log(`• sudo ${NPM} install -g ${target}  (attempt ${i + 1}/4)…`);
     // Prefer passwordless sudo (root-owned global prefix). Fall back to plain npm in case the prefix is
     // already user-writable (a user-level npm prefix) — then no sudo is needed at all.
-    let r = spawnSync("sudo", ["-n", "npm", "install", "-g", target], opt);
+    let r = spawnSync("sudo", ["-n", NPM, "install", "-g", target], opt);
     if (r.status === 0) return true;
-    r = spawnSync("npm", ["install", "-g", target], { ...opt, shell: true });
+    r = spawnSync(NPM, ["install", "-g", target], { ...opt, shell: true });
     if (r.status === 0) return true;
     sleep(3000);
   }
@@ -138,14 +149,15 @@ function restartUnit() {
   // code. The result file is already "done", so the reconnecting UI sees success. If sudo/systemctl isn't
   // available (a non-systemd container), this no-ops and the host keeps running the old code until a manual
   // restart — `Restart=always` does NOT help here because we didn't crash.
-  try { spawnSync("sudo", ["-n", "systemctl", "restart", SERVICE], { stdio: QUIET ? "ignore" : "inherit" }); } catch { /* manual restart needed */ }
+  try { spawnSync("sudo", ["-n", SYSTEMCTL, "restart", SERVICE], { stdio: QUIET ? "ignore" : "inherit" }); } catch { /* manual restart needed */ }
 }
 
 if (MODE === "vps") {
   result({ status: "running" });
   if (QUIET) sleep(1200);                  // let the UI receive the response + start polling
-  const v = arg("--version") || "latest";
-  const target = `${PKG}@${/^\d+\.\d+\.\d+/.test(v) ? v : "latest"}`; // only a real semver or @latest (sudoers-scoped)
+  // Always @latest on a VPS: the NOPASSWD sudoers rule is scoped to EXACTLY `constellai@latest` (no `@*`
+  // wildcard that could span into extra args), and the button only ever wants the newest release.
+  const target = `${PKG}@latest`;
   const okv = vpsInstall(target);
   result({ status: okv ? "done" : "error" });
   log(okv ? "✓ Installed — restarting the service." : "✖ Update failed — run by hand: sudo npm i -g constellai@latest && sudo systemctl restart constella");

package/bin/constella.mjs

@@ -153,7 +153,7 @@ async function pickUsbHome() {
 const PKG = "constellai"; // npm package name (the CLI command/bin stays `constella`)
 const args = process.argv.slice(2);
 const has = (f) => args.includes(f);
-const flag = (f) => { const i = args.indexOf(f); return i >= 0 ? args[i + 1] : undefined; };
+const flag = (f) => { const i = args.indexOf(f); if (i < 0) return undefined; const v = args[i + 1]; return v && !v.startsWith("-") ? v : undefined; }; // a value-less option (e.g. `--port --onboarding`) must not swallow the next flag as its value
 const rawCmd = args.find((a) => !a.startsWith("-")); // the bare subcommand the user typed (if any)
 const cmd = rawCmd ?? "";
 

package/bin/worker.mjs

@@ -41,6 +41,7 @@ if (!isLoopback && !ALLOW_REMOTE) {
 if (!isLoopback && ALLOW_REMOTE && new URL(BASE).protocol !== "https:") {
   console.warn(`• CONSTELLA_BASE_URL is a remote http:// host (${baseHost}) — the worker secret will travel in cleartext. Use https://.`);
 }
+if (!SECRET) console.error("✖ CONSTELLA_WORKER_SECRET is empty — every privileged worker call (tick · sync · telegram) will be rejected (401) and nothing scheduled will run. Set it in ~/.constella/.env, then restart.");
 const headers = (SECRET && (isLoopback || ALLOW_REMOTE)) ? { "x-worker-secret": SECRET } : {};
 
 /* ---- 24/7 tick ---- */

package/docs/UPDATE.md

@@ -4,8 +4,8 @@
 
 ![](./assets/divider-orbit.svg)
 
-**Current stable release: `v0.3.5`** — a VPS updates itself in one click (now correctly labelled + reliably
-enabled). See what changed in the [Changelog](../CHANGELOG.md) (the Update module also shows it inline as
+**Current stable release: `v0.3.7`** — Constella goes **fully open-source**: the public repo now carries the
+complete source. See what changed in the [Changelog](../CHANGELOG.md) (the Update module also shows it inline as
 “What's new”).
 
 > This is the page the **Update** module's “docs” button opens. It tells you, in plain terms, how to move Constella
@@ -24,6 +24,22 @@ it didn't earn: the updater writes the real result and the screen reflects it tr
 Latest first. The in-app **Update** module shows the changelog inline as “What's new”; this is the same history, kept
 here so the “docs” button always shows what each release added. Full detail: [Changelog](../CHANGELOG.md).
 
+### v0.3.7 — open source
+- **Constella is now fully open-source** — the public GitHub repo carries the complete source (`src/` and all),
+  not a source-less compiled mirror. A pre-publication scrub neutralised third-party brand mentions and removed
+  personal paths / PII, and a root **`THIRD_PARTY_LICENSES.md`** indexes every bundled skill's license.
+- Docs re-framed for the open-source flow + corrected stale "VPS = Docker" claims to the real native model
+  (npm + systemd + Tailscale).
+
+### v0.3.6 — hardening pass
+- A whole-project code review (**security · correctness · robustness**): closed an operator-account takeover
+  (restored-DB path), hardened secret scanning (fine-grained PATs, `.cjs/.cts`, redirect re-validation), fixed
+  a RAG reindex that wiped curated KB chunks, a runner queue deadlock + a stuck "working" agent, a dropped
+  Telegram message, dev-server process-group + double-spawn, the year-57000 dates — among many others.
+- **VPS one-click update hardened** — absolute npm/systemctl paths, sudoers scoped to `constellai@latest`, a
+  self-healing drop-in.
+- Docs: an honest **compatibility status** + a **roadmap** skeleton.
+
 ### v0.3.5 — VPS update polish
 - Dropped the inaccurate **"(Docker)"** label — VPS mode is **native** (systemd + Tailscale, no Docker).
 - Fixed the passwordless self-update drop-in being **skipped at setup** (`visudo` wasn't on the non-root PATH), so

package/docs/en/AI_ARCHITECTURE.md

@@ -143,7 +143,7 @@ When this clean dir is active, `claudeSettingsArgs()` returns `[]` (the dir alre
 | `start` (local dev) | `true` | `bypassPermissions` (install + run tests) | `danger-full-access` |
 | `auth` / `vps` / `portable` (prod) | `false` | `acceptEdits` (edits only, no net/exec) | `workspace-write` (no network) |
 
-> Prod already runs inside Docker + Tailscale (the container is the hard jail). The CLI stays restricted on top for defense-in-depth.
+> Prod already runs on a private host behind Tailscale (the tailnet-only host is the hard boundary). The CLI stays restricted on top for defense-in-depth.
 
 ### Web research 🌠
 
@@ -339,7 +339,7 @@ opencode auth list        # detectCliAuth("opencode")
 - **shell:false for git/gh** — real executables run with `shell: false` so client-influenced branch/message/path args can't be re-parsed by a shell.
 - **Vanilla hooks** — `disableAllHooks` keeps an operator's plugins/hooks out of agent runs (voice + behavior isolation).
 - **Command guard** — `bin/guard-hook.mjs` (default ON) blocks catastrophic shell (`rm -rf /`, force-push, `mkfs`, fork-bomb).
-- **Permission jail in prod** — `acceptEdits` (no net/arbitrary exec) on top of Docker + Tailscale.
+- **Permission jail in prod** — `acceptEdits` (no net/arbitrary exec) on top of the Tailscale-private host.
 - **Secret scrub** — chat replies pass through `scrubSecrets` before they're stored / shown / sent to Telegram.
 - **Prompt-injection hardening** — Telegram + attached-file clauses mark operator input as DATA, never instructions.
 

package/docs/en/CHAT_COMMANDS.md

@@ -212,7 +212,7 @@ Every command parsed by `runSlashCommand`, grouped by category. "Responds as" is
 /graph SPEC-01
 /reindex
 /curate
-/new-goal a billing page with Stripe checkout
+/new-goal a billing page with payment-provider checkout
 /new-work add 2FA to the login screen
 /generate-plan migrate the database to Postgres
 /approve

package/docs/en/CONFIGURATION.md

@@ -314,7 +314,7 @@ node scripts/mcp-server.mjs
 - `src/lib/scrub.ts` scrubs `CONSTELLA_VAULT_KEY`, `BETTER_AUTH_SECRET` and `CONSTELLA_WORKER_SECRET` before KB ingest, Telegram and logs.
 - The worker enforces a **loopback-only SSRF guard** on `CONSTELLA_BASE_URL`.
 - `process.env` always overrides the `.env` file — operators control configuration via the shell/Docker/systemd, not via an attacker-writable file.
-- Agent permissions degrade safely: full access only with `--start` (your own machine); `--vps`/`--portable` stay jailed (Docker + Tailscale as the hard jail). Authentication (email + password) is required on every target. See [SECURITY](./SECURITY.md).
+- Agent permissions degrade safely: full access only with `--start` (your own machine); `--vps`/`--portable` stay jailed (the host + Tailscale tailnet as the hard boundary). Authentication (email + password) is required on every target. See [SECURITY](./SECURITY.md).
 
 ---
 

package/docs/en/DESIGN.md

@@ -96,7 +96,7 @@ The **Docs** rail renders Grace's written documentation as markdown: `design-sys
 ## RAG & skill selection 🌌
 
 Grace doesn't read a flat skill list. She **extracts keywords** from the brief, mission, objective, attached mock and
-your message, **expands** them through a domain + style lexicon (hotel → booking / hospitality / rooms; "Apple/iOS" →
+your message, **expands** them through a domain + style lexicon (hotel → booking / hospitality / rooms; "native mobile" →
 glassmorphism / microinteractions / premium typography), and **ranks the seeded skills** by name / tags / description —
 then reads the most relevant ones first. Domain- and style-aware, not generic.
 

package/docs/en/FAQ.md

@@ -114,7 +114,7 @@ The workspace directory is the **source of truth** (`src/lib/fs-workspace.ts`);
 Yes — two supported patterns, plus a caveat:
 
 - **Portable** (`--portable`): the runtime root lives on a **USB drive** mounted as root, carried between machines. Requires `>=32GB` free (fatal below that); `>=32GB` is fine. Binds `0.0.0.0`. Login (email + password) is required — as it is everywhere.
-- **VPS** (`--vps`): Constella runs in Docker on a server and you reach it over your **Tailscale tailnet**. Binds `0.0.0.0`. Login (email + password) required, same as every target.
+- **VPS** (`--vps`): Constella runs natively on a server (npm + systemd) and you reach it over your **Tailscale tailnet** — no Docker; the host itself is the tailnet node. Binds `0.0.0.0`. Login (email + password) required, same as every target.
 
 Caveat: the CLI subscription credentials (`~/.claude/.credentials.json`) live on the host running the agents. Constella copies the operator's Claude credentials into a clean per-agent config dir so agents stay logged in (see Q8), but the **host machine** still needs a valid CLI login. Portable mode carries Constella's data, not necessarily every CLI's auth.
 
@@ -131,14 +131,14 @@ The launch flag is an **install target** (`src/lib/run-mode.ts`), not an auth mo
 | Install target | Launch flag | Bind | Best for |
 | --- | --- | --- | --- |
 | Local (default) | `--start` | `127.0.0.1` | Solo local use on your own machine; agents get **full access** (install deps, run tests) |
-| VPS | `--vps` | `0.0.0.0` | A shared server over Tailscale, runs in Docker; agents **jailed** to edits-only |
+| VPS | `--vps` | `0.0.0.0` | A shared server over Tailscale (native npm + systemd, no Docker); agents **jailed** to edits-only |
 | USB | `--portable` | `0.0.0.0` | A USB you carry between machines; agents **jailed** |
 
 ```mermaid
 flowchart TD
   Q{"Where will it run?"}
   Q -->|My own machine| START["--start local, full agent access"]
-  Q -->|A server I reach remotely| VPS["--vps Docker + Tailscale"]
+  Q -->|A server I reach remotely| VPS["--vps native + Tailscale"]
   Q -->|A USB I carry around| PORT["--portable"]
   START --> AUTH["all targets: signup then login<br/>email + password"]
   VPS --> AUTH

package/docs/en/GOALS_SPECS_ISSUES.md

@@ -230,7 +230,7 @@ stateDiagram-v2
 **New work from a DM** (handled by `planFromConversationFor` → `generatePlanFor`):
 
 ```
-@ada build a billing dashboard with Stripe and a CSV export
+@ada build a billing dashboard with a payment provider and a CSV export
 ```
 
 **Approve from a slash command** ([CHAT_COMMANDS](./CHAT_COMMANDS.md)):

package/docs/en/MCP.md

@@ -33,7 +33,7 @@ scripts/mcp-server.mjs  ──Bearer cn_…──►  /api/v1/[[...path]]  ─
 
 Key properties straight from the source:
 
-- **Zero dependencies.** `scripts/mcp-server.mjs` imports only `node:readline` and uses the global `fetch` (Node 18+). It ships in the compiled distribution unchanged.
+- **Zero dependencies.** `scripts/mcp-server.mjs` imports only `node:readline` and uses the global `fetch` (Node 18+). It ships in the package unchanged.
 - **Hand-rolled MCP.** It implements the JSON-RPC methods `initialize`, `notifications/initialized`, `ping`, `tools/list` and `tools/call` directly — no SDK.
 - **Thin mapping.** Every tool's `build(args)` returns `{ method, path, body? }`, which `callApi` sends to `${BASE}/api/v1${path}` with `Authorization: Bearer ${PAT}` (and `x-constella-org` when `CONSTELLA_ORG` is set).
 - **One credential.** The REST layer (`authenticatePAT` in `src/server/api/pat-auth.ts`) is PAT-only; there is no session. Scope (`read` / `write`) is enforced server-side.
@@ -164,7 +164,7 @@ The MCP server talks to a live server at `CONSTELLA_BASE_URL` (default `http://l
   "mcpServers": {
     "constella": {
       "command": "node",
-      "args": ["C:/Users/Usuario/Documents/constella/scripts/mcp-server.mjs"],
+      "args": ["/path/to/constella/scripts/mcp-server.mjs"],
       "env": {
         "CONSTELLA_PAT": "cn_your_write_token_here",
         "CONSTELLA_BASE_URL": "http://localhost:3000"

package/docs/en/PLUGINS.md

@@ -179,7 +179,7 @@ Two crucial clarifications:
 ### "Install" a placeholder plugin (PARTIAL)
 
 1. Click **Install from URL** in the topbar.
-2. The browser `window.prompt` asks for a URL or name (placeholder text: `github.com/acme/slack-bridge`).
+2. The browser `window.prompt` asks for a URL or name (placeholder text: `github.com/acme/chat-bridge`).
 3. `installPlugin(url.trim())` inserts a non-native row, `enabled: true`, `description: "Installed from URL"`.
 4. Nothing is downloaded or wired. The row is a bookmark only — **this is a mock** (see [Possible states](#possible-states-)).
 
@@ -208,7 +208,7 @@ await togglePlugin(githubPluginId, false);
 ```ts
 import { installPlugin } from "@/server/actions/plugin-actions";
 
-const res = await installPlugin("github.com/acme/slack-bridge");
+const res = await installPlugin("github.com/acme/chat-bridge");
 // res => { ok: true }
 // A non-native row appears in /plugins, enabled, description "Installed from URL".
 // No bridge code runs — it is a catalog bookmark.

package/docs/en/PORTABLE_MODE.md

@@ -347,7 +347,7 @@ $ npx constellai --portable
 
 - **Update** ([UPDATE](./UPDATE.md)) — `detectRunContext()` returns `"portable"`; `startUpdate()` does **not** auto-run on portable. It backs up `.env` + db to `<USB>/.constella/backups/<timestamp>/`, then returns the command and *"Portable: ensure free space, back up the drive, then run: `npm install -g constellai@latest`"* with `needsRestart: true`.
 - **Local models / RAG** ([MODELS](./MODELS.md), [MEMORY_RAG](./MEMORY_RAG.md)) — GGUF models and embed/chat servers run off the drive's runtime root; the 32 GB minimum boots, but local models are why you'd carry a larger drive.
-- **VPS** ([VPS_MODE](./VPS_MODE.md)) — shares the `0.0.0.0` bind; differs in that VPS runs in Docker over a tailnet, portable runs off a drive.
+- **VPS** ([VPS_MODE](./VPS_MODE.md)) — shares the `0.0.0.0` bind; differs in that VPS runs natively on a host over a tailnet (no Docker), portable runs off a drive.
 - **Configuration** ([CONFIGURATION](./CONFIGURATION.md)) — `CONSTELLA_HOME`, `CONSTELLA_RUN_MODE`, `DATABASE_URL` and the secret env vars are documented there.
 
 ---

package/docs/en/PUBLISHING.md

@@ -4,9 +4,9 @@
 
 ![](../assets/divider-orbit.svg)
 
-Publishing is how the central ship leaves the shipyard. Two launches happen, in two directions: the **npm tarball** carries the *compiled runtime* to end users, and the **public Git mirror** carries the *product tree* (docs, launcher, migrations — no source) to `github.com/gabriel7silva/constella`. The private development tree stays home, in orbit, on the `dev` remote. ✦
+Publishing is how the central ship leaves the shipyard. Two launches happen, in two directions: the **npm tarball** carries the *compiled runtime* to end users (the prebuilt `.next`, no build step), and the **public Git repo** carries the *full open-source tree* (`src/`, docs, launcher, migrations) to `github.com/gabriel7silva/constella`. ✦
 
-> **TL;DR** — End users receive a compiled, minified runtime, **never `src/`**. `npm publish` ships the prebuilt `.next`; `scripts/publish-public.mjs --push` mirrors a clean, secret-scanned, source-free tree to the public Git repo. Both refuse to ship secrets.
+> **TL;DR** — End users of the **npm package** receive a compiled, minified runtime (the prebuilt `.next`, no build step) — the tarball never carries `src/`. The **public Git repo** is the open source. `npm publish` ships the prebuilt `.next`; `scripts/publish-public.mjs --push` mirrors a clean, secret-scanned tree to the public Git repo. Both refuse to ship secrets.
 
 ---
 
@@ -27,7 +27,7 @@ This page covers the **two distribution channels** and the gates that protect th
 
 ## How it works 🌌
 
-Constella distributes through **two channels** that share one principle: *ship the product, never the source.*
+Constella distributes through **two channels**: the npm tarball ships the *compiled runtime* (no `src/` in the package), while the public Git repo ships the *open source*.
 
 ```
             ┌────────────────────── dev tree (private) ──────────────────────┐
@@ -42,13 +42,13 @@ Constella distributes through **two channels** that share one principle: *ship t
    │ npm registry: constellai    │               │ public Git: gabriel7silva/      │
    │ COMPILED runtime tarball     │               │ constella (force-pushed mirror) │
    │ .next + bin + drizzle + docs │               │ docs + bin + drizzle + skills   │
-   │ NO src/                      │               │ NO src/, NO .next, NO secrets   │
+   │ NO src/                      │               │ FULL src/ · no .next/secrets   │
    └─────────────────────────────┘               └────────────────────────────────┘
 ```
 
 1. **npm channel** — `npm publish` ships the runtime as a tarball. The `files` allowlist in `package.json` selects exactly what travels; `prepublishOnly` validates the tree; `prepack` (`trim-next.mjs`) strips dev artifacts from `.next` so end users receive only the production runtime.
 2. **Git channel** — `scripts/publish-public.mjs` builds a filtered tree in a *temporary* git index (HEAD minus `src/`/tests, plus the generated `drizzle/` migrations), secret-scans exactly that set, and **force-pushes** it as a fresh root commit to the `public` remote. The compiled `.next` does **not** travel through git — it reaches users via the npm tarball.
-3. **Dual-repo** — the private `dev` remote (`constella-Dev`) keeps the full source history; the `public` remote (`constella`) is a clean, disposable mirror, not a shared history.
+3. **Public repo** — the `public` remote (`constella`) is the open-source home, carrying the full `src/` tree.
 
 > Neither channel carries `src/`. The schema reaches users as generated SQL under `drizzle/`, applied by `drizzle-kit migrate`. See [INSTALLATION](./INSTALLATION.md).
 
@@ -151,7 +151,7 @@ Because the `files` allowlist re-includes the **whole** `.next` directory (overr
 
 ### `publish-public.mjs` — the clean Git mirror
 
-`scripts/publish-public.mjs` produces the **source-free** Git mirror. It never runs automatically; you invoke it deliberately.
+`scripts/publish-public.mjs` produces the open-source public Git tree. It never runs automatically; you invoke it deliberately.
 
 The constant that defines the whole point:
 
@@ -186,10 +186,9 @@ Flow inside the script:
 
 | Remote | Repository | Contains | History |
 | --- | --- | --- | --- |
-| `dev` | `gabriel7silva/constella-Dev` | Full private source tree (`src/`, tests, e2e, history) | Real, preserved |
-| `public` | `gabriel7silva/constella` | Product only (docs, `bin/`, `drizzle/`, `skills/`, configs) | Disposable — overwritten by force-push |
+| `public` | `gabriel7silva/constella` | Open-source tree (`src/`, docs, `bin/`, `drizzle/`, `skills/`, configs) | Maintained history |
 
-The public mirror is **not** a shared-history collaboration target. Each `--push` writes a fresh root commit and force-overwrites `main`. Development happens against `dev`; the npm tarball is published separately from either git push.
+The npm tarball is published separately from the git push.
 
 ---
 
@@ -220,7 +219,7 @@ tar -tf constellai-0.1.0.tgz | sort   # inspect what would ship — confirm no s
 ```bash
 # Dry run — generate migrations if needed, compute the publish set, secret-scan, print the count:
 node scripts/publish-public.mjs
-#   ✓ Clean: <N> files to publish (no src/, no secrets). Migrations: <M> file(s).
+#   ✓ Clean: <N> files to publish (full source, no secrets). Migrations: <M> file(s).
 
 # Push — build the filtered tree in a temp index and force-push to public main:
 node scripts/publish-public.mjs --push
@@ -243,9 +242,9 @@ npm run clean    # scripts/clean-repo.mjs — removes scratch artifacts at the r
 
 ```text
 $ node scripts/publish-public.mjs
-✓ Clean: 412 files to publish (no src/, no secrets). Migrations: 7 file(s).
+✓ Clean: 1712 files to publish (full source, no secrets). Migrations: 7 file(s).
 
-Dry run. To publish the clean compiled tree to the public repo, run:
+Dry run. To publish the clean tree to the public repo, run:
   node scripts/publish-public.mjs --push
 ```
 
@@ -305,8 +304,8 @@ Publishing is a high-trust operation; the design assumes a mistake *will* happen
 - **Source never ships.** Both channels exclude `src/`. The Git mirror checks twice — `EXCLUDE` filters it out, then a final pass aborts if any `src/` path survived.
 - **Secret-scan refuses on any finding.** `publish-public.mjs` blocks on the **first** match per file across 10 inline patterns + a sensitive-filename rule. It is deliberately conservative (`512 KB` text-file cap, placeholder-credential allowance to avoid false positives in docs).
 - **`.env` and DB files are sensitive by filename.** They are blocked even if you never opened them — except the explicit allowlist (`.env.example`, etc.) and `drizzle/*.sql` DDL.
-- **Force-push is intentional.** The public repo is a *clean mirror*, not a collaboration history. It carries no `.next` and no secrets, so overwriting it is safe by construction.
-- **The tarball is compiled.** End users run a minified `.next` and applied SQL migrations — no readable application source, no devDependencies.
+- **The public repo carries no secrets.** The publish set is secret-scanned before every push; it carries no `.next` and no `.env`.
+- **The npm tarball is compiled.** End users of the package run a minified `.next` and applied SQL migrations — no build step, no devDependencies. (The source itself is open on GitHub.)
 - **Secrets live outside the tree.** Runtime secrets are persisted to `<HOME>/.env` (`chmod 600`) and never in the repo; the vault key, worker secret and auth secret are generated at first boot. See [SECURITY](./SECURITY.md).
 
 > The scanner is a safety net, not a substitute for discipline. Keep secrets in `<HOME>/.env` and the vault, never in tracked files.
@@ -340,4 +339,4 @@ Publishing is a high-trust operation; the design assumes a mistake *will* happen
 
 ---
 
-<sub>✦ The shipyard is quiet, the launch is loud. Ship the product, keep the blueprints. 🚀</sub>
+<sub>✦ The shipyard is quiet, the launch is loud. Ship the product, open the blueprints. 🚀</sub>

package/docs/en/README.md

@@ -28,7 +28,7 @@ Auth is always required (email + password), identical everywhere — the launch
 | Doc | What it covers |
 |-----|----------------|
 | [Start (local)](START_MODE.md) | `constella --start`, binds `127.0.0.1` — the default local install |
-| [VPS](VPS_MODE.md) | `constella --vps`, binds `0.0.0.0` over a Tailscale tailnet, Docker |
+| [VPS](VPS_MODE.md) | `constella --vps`, binds `0.0.0.0` over a Tailscale tailnet (native, no Docker) |
 | [Portable (USB)](PORTABLE_MODE.md) | `constella --portable`, runs off a USB drive, binds `0.0.0.0` |
 
 ## 🛰️ Architecture

package/docs/en/SECURITY.md

@@ -26,7 +26,7 @@ Constella layers independent controls so no single failure is catastrophic. The
 ```mermaid
 flowchart TB
   subgraph Edge["🛰️ Network edge"]
-    A1["Run-mode bind: start/auth = 127.0.0.1 · vps/portable = 0.0.0.0 + Tailscale/Docker"]
+    A1["Run-mode bind: start/auth = 127.0.0.1 · vps/portable = 0.0.0.0 + Tailscale"]
     A2["better-auth session gate (email+password · TOTP 2FA · WebAuthn passkeys)"]
     A3["Worker endpoints: x-worker-secret, fail CLOSED"]
   end
@@ -169,10 +169,10 @@ Both hooks **fail open** on any unexpected condition (no context, network glitch
 | --- | --- | --- | --- | --- | --- |
 | `start` (local) | `127.0.0.1` | **on** (default) | `bypassPermissions` | `danger-full-access` | full: install deps + run tests |
 | `auth` | `127.0.0.1` | off | `acceptEdits` | `workspace-write` | edits-only, no network |
-| `vps` | `0.0.0.0` | off | `acceptEdits` | `workspace-write` | edits-only — *plus* the Docker container + Tailscale are the hard jail |
+| `vps` | `0.0.0.0` | off | `acceptEdits` | `workspace-write` | edits-only — *plus* the Tailscale-private host is the hard boundary |
 | `portable` | `0.0.0.0` | off | `acceptEdits` | `workspace-write` | edits-only |
 
-Defense-in-depth: prod modes already run inside Docker + Tailscale (the container is the real jail); the CLI stays restricted on top. Two more agent-spawn protections:
+Defense-in-depth: prod modes already run on a private host behind Tailscale (the tailnet-only host is the real boundary); the CLI stays restricted on top. Two more agent-spawn protections:
 
 - **Vanilla agents** — agents run independent of the operator's personal `~/.claude` hooks/plugins via a `--settings {disableAllHooks:true}` overlay (or a clean `CLAUDE_CONFIG_DIR` carrying only Constella's lock/guard hooks). Auth stays intact (the operator's credentials are copied in).
 - **No shell injection via model id** — `safeModel()` / `safeModelSlash()` validate the model string (which originates from agent-writable `Agent.md` frontmatter) against a strict charset before it reaches argv on a `shell: true` spawn, so `sonnet"; rm -rf ~` can't be re-parsed by the shell. Git/`gh` calls use `shell: false` so branch/message/path args are passed literally.

package/docs/en/START_MODE.md

@@ -258,7 +258,7 @@ A local install trades network hardening for local convenience — safe precisel
 - **Authentication always on.** A real signup-then-login gate guards every session — there is no auto-login and no predictable credential. The single operator is whoever completes the first-run signup.
 - **Real auth secret persisted.** A real `BETTER_AUTH_SECRET` is generated to `<HOME>/.env` (`chmod 600`) so sessions aren't forgeable; cookies are non-`Secure` only because the local transport is plain `http`.
 - **Full-access agents are local-only.** `bypassPermissions` lets agents run shell, but the workspace is still an FS jail (`safe()` lexical + symlink checks), and the guard/lock hooks still apply. Set `CONSTELLA_AGENT_FULL_ACCESS=0` to re-jail.
-- **Do not port-forward a local install.** If you need remote access, use [VPS](./VPS_MODE.md) (Tailscale + Docker) — never expose the loopback install to a network.
+- **Do not port-forward a local install.** If you need remote access, use [VPS](./VPS_MODE.md) (Tailscale, native) — never expose the loopback install to a network.
 
 ---
 

package/docs/en/TELEGRAM.md

@@ -231,7 +231,7 @@ A message with neither text nor any saved attachment is dropped.
 /approve                     → queue tasks
 /start_execution             → approve + 24/7 ON
 /pause   /resume             → flip 24/7
-/reject use Stripe not PayPal→ send plan back with a reason
+/reject use a different payment provider → send plan back with a reason
 /cancel  /archive            → stop / park the active goal
 /kb how does auth work?      → ask the Knowledge Base
 just talk normally           → chat with the CEO (Ada)